a mission-centric framework for cyber situational awareness...wang, eds., cyber situational...
TRANSCRIPT
A Mission-Centric Framework for Cyber Situational Awareness Sushil Jajodia George Mason University
SECRYPT 2012
Motivation
An ever increasing number of critical applications and services rely on Information Technology infrastructures Increased risk of cyber attacks Increased negative impact of cyber attacks
Attackers can exploit network configurations and vulnerabilities (both known and unknown) to incrementally penetrate a network and compromise critical systems Manual analysis is labor-intensive and error-prone Vulnerabilities are often interdependent, making traditional point-
wise vulnerability analysis ineffective Services and machines on a network are interdependent
Need for tools that provide analysts with a “big picture” of the cyber situation
2
CSA Capabilities: Enterprise Network
3
Internet
Web Server (A)
Mobile App Server (C)
Catalog Server (E)
Order Processing Server (F)
DB Server (G)
Local DB Server (D)
Local DB Server (B)
Current situation. Is there any ongoing attack? If yes, where is the attacker?
Impact. How is the attack impacting the enterprise or mission? Can we asses the damage?
Evolution. How is the situation evolving? Can we track all the steps of an attack?
Behavior. How are the attackers expected to behave? What are their strategies?
Forensics. How did the attacker create the current situation? What was he trying to achieve?
Information. What information sources can we rely upon? Can we assess their quality?
Prediction. Can we predict plausible futures of the current situation?
Scalability. How can we ensure that solutions scale well for large networks?
CSA Framework Architecture
Situation Knowledge
Reference Model
Index & Data Structures
Monitored Network
Analyst
Alerts/Sensory Data
Topological Vulnerability Analysis Cauldron Switchwall
Vulnerability Databases
NVD OSVD CVE
Stochastic Attack Models
Generalized Dependency
Graphs
Graph Processing
and Indexing
Dependency Analysis
NSDMiner
Scenario Analysis & Visualization
Network Hardening
Unexplained Activities Model
Adversarial modeling
Attack Graphs
Network Vulnerability Analysis 5
Motivation for Network Vulnerability Analysis
SECRYPT 2012
6
Current security measures largely independent Generate isolated vulnerability data Manual process requiring high expertise Administrators must make sense of this, then respond
appropriately and quickly Error prone due to complexity, volume, and frequent
changes in security data and network configurations
Establishing and understanding the context is a mandatory and necessary first step for successful cyber incident response
Vulnerability Scanner
WWWFrontendRouter
BackendRouter
Firewall
ServerLAN
ClientLAN
DMZ
W2K Web
Server
W2KExchange
Server
DMZRouter
Linux Mail
Server
`
WinXPClient
`
W2K ProClient
5 Server
3 Router
2 Firewall
2 PC
LegendSymbol Count Description
OracleDB
Server
W2K Web
Server
Firewall
DBLAN
7
Vulnerability Scanner
41 Vulns 15 Vulns
160 Vulns
158 Vulns
47 Vulns
60 Vulns
107 Vulns
Attack Target
External Attacker
8
Limitations of Vulnerability Scanners Generate overwhelming amount of data Example Nessus scan
Elapsed time: 00:48:07 Total security holes found: 588 High severity: 120 Low severity: 370 Informational: 98
No indication of how vulnerabilities can be combined Can an outside attacker obtain access to the DB server? Where does a security administrator start?
9
Limitations of IDSs
Generate overwhelming number of alerts Many false alerts – normal traffic or failed
attacks Alerts are isolated Incomplete alert information No indication of how alerts can be combined Where does a security administrator start? Is the attacker trying to obtain access to DB
server? Require extensive human intervention
10
The reality – security concerns are highly interdependent.
Simply Listing Problems Misses the Big Picture!
11
Attack Graphs
An attacker breaks into a network through a chain of exploits where each exploit lays the groundwork for subsequent exploits
Chain is called an attack path Set of all possible attack paths form an attack
graph Generate attack graphs to mission critical
resources Report only those vulnerabilities associated with
the attack graphs
Related Work
SECRYPT 2012
12
Phillips and Swiler NSPW 1998 Templeton and Levitt NSPW 2000 Ritchey and Ammann S&P 2000 Wing, Jha et al. CSFW 2002 Ammann et al CCS 2002 Ou et al. CCS 2006 Sawilla and Ou ESORICS 2008
Attack Graph Visualization Problem
SECRYPT 2012
13
Even small networks can yield complex attack graphs!
14
15
16
Network Hardening
17
ftp_rhosts(0,1)
ftp(0,1) user(0) ftp(0,2)
ftp_rhosts(0,2)
trust(1,0) trust(2,0)
rsh(0,1)
rsh(0,2)
ftp_rhosts(2,1)
ftp(2,1) user(2)
local_bof(2)
trust(1,2) sshd(2,1) sshd(0,1)
sshd_bof(2,1) sshd_bof(0,1) rsh(2,1)
user(1) ftp(1,2)
ftp_rhosts(1,2) local_bof(1)
rsh(1,2)
trust(2,1)
root(2)
root(1)
𝐺𝐺 = (𝐸𝐸 ∪ 𝐶𝐶,𝑅𝑅𝑟𝑟 ∪ 𝑅𝑅𝑖𝑖)
𝐸𝐸
𝐸𝐸: set of exploits
Attack graph 𝑮𝑮 = (𝑬𝑬 ∪ 𝑪𝑪,𝑹𝑹𝒓𝒓 ∪ 𝑹𝑹𝒊𝒊) 𝑬𝑬: set of
𝑪𝑪: set of
𝑪𝑪𝒊𝒊 ⊆ 𝑪𝑪: set of
𝑹𝑹𝒓𝒓: requires relationship
𝑹𝑹𝒊𝒊: implies relationship
conditions
exploits
initial conditions
Hardening Solutions 1) 𝑓𝑓𝑓𝑓𝑓𝑓 0,2 , 𝑓𝑓𝑓𝑓𝑓𝑓(0,1)
2) 𝑓𝑓𝑓𝑓𝑓𝑓 0,1 , 𝑓𝑓𝑓𝑓𝑓𝑓 0,2 , 𝑠𝑠𝑠𝑠𝑠𝑠𝑠(0,1)
18
Security Metrics
Alarm Correlation And Attack Response
Sensor Placement
Network Hardening
Cauldron has Numerous Applications
Related Publications
SECRYPT 2012
19
Sushil Jajodia, Peng Liu, Vipin Swarup, Cliff Wang, eds., Cyber Situational Awareness: Issues and Research, ISBN: 98-1-4419-0139-2, Springer International Series on Advances in Information Security, 2009, 252 pages.
Massimiliano Albanese, Sushil Jajodia, Steven Noel, "A time-efficient approach to cost-effective network hardening using attack graphs," Proc. 42nd Annual IEEE/IFIP International Conference on Dependable and Networks (DSN), Boston, Mass, June 25-28, 2012.
Generalized Dependency Graphs
Dependency Analysis 20
Limitations of Attack Graphs
SECRYPT 2012
21
Do not encode enough information about the attacker’s behavior
Do not provide a mechanism to evaluate impact of each attack pattern on the enterprise
Scalability issues have not been fully addressed - Ideally, attacks must be recognized in real-time
Example of Decision Making
Order Processing Server (F)
Mobile App Server (C) DB Server (G)
Local DB Server (D)
0.7
0.3
1
1
Current Situation: The Mobile App Server has been compromised.
Possible futures: 1) The attacker will exploit
the local DB Server with probability 70%
2) The attacker will exploit the Order Processing Server with probability 30%
Possible courses of actions: 1) Based on the probability of individual outcomes, we could be tempted to patch the
vulnerability that has the highest probability of being exploited next 2) However, protecting the Local DB Sever, will not reduce our expected future
damage assessment, since the Mobile Order Tracking service is already compromised
3) Protecting the Order Processing Server would instead guarantee that the other service is not compromised
22
fd fd fs fs
fs fs
fs
hA hC
hE hF
hG
hD hB
Online Shopping fs
Mobile Order Tracking
Motivation for Dependency Analysis A network application usually depends on several other
network services to function correctly These network services may depend on other services
It is critical to know network service dependencies for Fault diagnosis/isolation Cyber situation awareness Response to cyber attacks
Challenges An enterprise network is usually complex and dynamic Manual analysis is error-prone and impractical
It is desirable to automatically discover network service dependencies 03/29/12 INFOCOM 2012 Peng Ning
23
fd fd fs fs
fs fs
fs
Generalized Dependency Graphs
24
hA hC
hE hF
hG
hD hB
Online Shopping fs
Mobile Order Tracking
( ) =∈∀
=otherwise ,0
1 ],1[ if ,1),,( 1
ins
lnillf
∑=
=n
iind l
nllf
11
1),,(
Dependency functions
1
0
Degraded performance
Fully working
Unusable
An Introductory Example Web Server
Depends on Authentication Server to authenticate the client Depends on DB Server for data
Client
Depends on DNS to resolve Web server’s
IP address
03/29/12
25
INFOCOM 2012 Peng Ning
Previous Solutions
Host-based schemes (e.g., Magpie [OSDI ’04], Pinpoint [NSDI ’04], Macroscope [CoNEXT ’09]) Effective Intrusive host agent/middleware Some require application semantics Not desirable due to the required changes on hosts
Network-based schemes (Sherlock [SIGCOMM ’06], eXpose [SIGCOMM ’08], Orion [OSDI ’08]) Non-intrusive Application independent False positive and false negative are both high
03/29/12 INFOCOM 2012 Peng Ning
26
Previous Solutions (Cont’d) Performance
High false positive rate with nominal detection rate
03/29/12
27
INFOCOM 2012 Peng Ning
0102030405060708090
100
0 20 40 60 80 100
Det
ectio
n R
ate
False Positive Rate
Orion Sherlock Result of Orion * Result of Sherlock*
* From Orion Publication (%)
(%)
Our Contribution
NSDMiner: New approach for automated discovery of network service dependencies Network-based Passive Focused on dependencies on the server side Superior to previous network-based approaches Significant reduction in false positives Higher detection rate
03/29/12 INFOCOM 2012 Peng Ning
28
NSDMiner Key observation
Most outgoing connections that a server depends on happen during serving the request
03/29/12
29
Client Web server
Kerberos server
Database server
INFOCOM 2012 Peng Ning
NSDMiner – A Timeline View
03/29/12
30
INFOCOM 2012
NSDMiner Algorithm NSDMiner: Analyze network traffic to correlate flows Input
TCP and UDP flows UDP flow: A sequence of UDP packets between two endpoints
where the delay between any two consecutive packets is less than a threshold
(StartTime, EndTime, Proto, SrcIP, SrcPort, DestIP, DestPort) Basic idea
Process each flow record in increasing order of StartTime Check previous flow records for potential dependencies A previous flow potentially depends on the current flow if
If the current flow is from the destination host in the previous flow, and
The current flow occurs during the previous flow 03/29/12
31
INFOCOM 2012 Peng Ning
Conclusion NSDMiner: A simple but effective method to
identify local-remote service dependencies Network based Non-intrusive Better performance than existing solutions
Limitations Rely on network activities Limited to local-remote dependencies
Future work Handle unknown service clusters Improve detection rate
03/29/12 INFOCOM 2012 Peng Ning
32
Related Publication
SECRYPT 2012
33
Arun Natrajan, Peng Ning, Yao Liu, Sushil Jajodia, Steve E. Hutchinson, "NSDMine: Automated discovery of network service dependencies," Proc. 31st Annual Int'l. Conf. on Computer Communications (INFOCOM), Orlando, FL, March 25-30, 2012, pages 2507-2515 (Acceptance ratio 278/1547).
Barry Peddycord III, Peng Ning, Sushil Jajodia, "On the accurate identification of network service dependencies in distributed systems, Proc. USENIX 26th Large Installation System Administration Conference (LISA'12), San Diego, CA December 9 14 2012
Stochastic Attack Graphs Detection Algorithm
Adversary Modeling and Scalability
34
Incorporating Attacker’s Behavior Stochastic Attack Graphs
Our goal is to incorporate knowledge of them (the attackers) into the attack model
Our assumptions Different attack paths have
different probabilities of being observed Vulnerabilities that are easier to
exploit will be exploited more frequently
There is a lower and upper bound on the time that can elapse between two consecutive exploits of an attack path
35
{(3,10),0.7} {(1,9),0.3}
{(3,7),0.3} {(1,3),1}
exploit VC on host hC
exploit VD on host hD
exploit VF on host hF
exploit V'G on host hG
exploit V''G on host hG
{(1,7),0.7}
Occurrences & Probability Computation
36
id ts type hsrc hdest 1 1 ip360.534 hX hA
2 3 ip360.552 hA hC … … … … …
When an alert for VC is received, 2 time units have elapsed since
an alert for VA was received
Independence assumption prob(⟨o1, …, ok⟩, A) = Πi∈[1,k-1] τi(xi, yi)
2 falls between lower and upper bound
Probability = 0.3
aler
ts
VA
VC VB
observation sequence O v VA
VC
…
exploit
{(0,10),0.7} {(0,10),0.3}
An occurrence of A in O is a sequence O* = ⟨o1, . . . , ok⟩ ⊆ O
Index Update/Detection Algorithm
37
Algorithm updateIndex updates an index when a new alert is received
Algorithm updateIndex can be used iteratively for processing an entire observation sequence at once (bulkUpdate)
Check if the exploit(onew) is a start node for an attack
onew
Check index tables associated with predecessors of
exploit(onew)
Check if the exploit(onew) is an end node
Index
10 33 ip360.534 hX hY
Assess marginal damage of exploit(onew)
Time Frame Pruning (TF) 38
Under the Time Frame pruning strategy, for each new each alert onew, algorithm updateIndex avoids scanning records that cannot be linked to onew
tablesG(v') curr actI
D t0 prob Δd prev next
• A1 2 0.6 12 • ⊥ • A2 1 0.7 2 • ⊥ • A1 4 0.8 13 • ⊥ • A3 7 0.9 8 • ⊥ • A4 9 0.5 18 • ⊥
too old to be linked
can still be linked
Attack Scenario Analysis 39
Damage Assessment 40
Each service/mission has an associated utility A service/mission depends on one or more network components
If any of them is compromised, the service/mission is affected and its utility is reduced
The damage caused by a cyber attack is proportional to the total loss of utility of services/missions affected by the attack
For each possible future of the current situation, we can assess damage Attack graphs indicate which assets might be directly
compromised Dependency graphs indicate which assets/services
are affected as a consequence
Attack Scenario Graphs 41
vD ∨ vE ∨ vF
vB∨ vC
{(3,10),0.7} {(1,9),0.3}
{(1,3),0.8} {(2,7),0.2}
{(1,8),1}
{(1,7),1}
{(3,7),1}
{(1,3),1}
0.8
1
0.7
0.7
1
0.7
vA
vE
vC
vF
vG
vD
hA,fs
8
hE, fs
7
hC, fs
7
hF, fs
7
hG 8
hD, fd
5
hB, fd 5
hS, fs
10
hT, fs
7
0.8
Δd = 14
Δd = 22.9
Δd = 3.5
vB
( ) )()()(1 huhshsdamageHh
ii ⋅−=∆ ∑∈
−
Ranking Future Scenarios 42
Algorithm rankFutureScenarios, predicts possible futures – of length k or less – of the current situation and assesses their likelihood and marginal damage Predicted scenarios are ranked by a measure of criticality
accounting for both probability and marginal damage
A criticality function can be defined as any function of the form f : [0, 1] × R → R that satisfies the following monotonicity axioms (∀Δd ∈ R) p1 ≥ p2 ⇒ f(p1,Δd) ≥ f(p2,Δd) (∀p ∈ [0, 1]) Δd1 ≥ Δd2 ⇒ f(p,Δd1) ≥ f(p,Δd2)
In the simplest case, we can estimate the criticality of a future as the product of its probability and marginal damage
Experimental Evaluation 43
Experimental Results 44
Experiments were conducted on both real (786 nodes) and synthetic (up to 300 thousand nodes) attack graphs In both cases we used the graphs to simulate a
number of attack occurrences and generate a stream of 3 million alerts
We measured
The time to build the index The consumption of memory The time to compute future scenarios
Real Attack Graph Used in Experiments
45
Total number of machines 64
Total number of exploits 786
Number of inter-domain edges 182
Number of edges in fully exploded graph 266,770
Index Building Time vs. Num. of Alerts
46
100
1 000
10 000
100 000
1 000 000
1 000 10 000 100 000 1 000 000 10 000 000
Inde
x bu
ildin
g tim
e (m
s)
Number of alerts
404 nodes (real) 786 nodes (real) 10K nodes (syn) 30K nodes (syn) 100K nodes (syn)
• The time to build the index increases linearly with the number of alerts
• The algorithm can process between 20 and 30 thousands alerts per second
• There is no significant difference between results on real and synthetic attack graphs
• The size of the graphs does not significantly affect the index building time
Index Building Time vs. Graph Size
47
100
1 000
10 000
1 000 10 000 100 000 1 000 000
Inde
x bu
ildin
g tim
e (m
s)
Number of nodes
10,000 alerts 30,000 alerts 100,000 alerts
• When the size of the merged graph changes by orders of magnitude, the processing time increases slightly
• The slight increase can be attributed to the overhead of managing a larger number of tables
Index Size vs. Graph Size 48
10
100
1 000
10 000
100 000
1 000 10 000 100 000 1 000 000
Inde
x si
ze (K
B)
Number of nodes
10,000 alerts 30,000 alerts 100,000 alerts
• Memory occupancy increases linearly with the number of alerts processed
• Memory occupancy is independent of the size of the graphs
Prediction Time vs. Depth k 49
-
50
100
150
200
250
300
- 2 4 6 8 10
Tim
e (m
s)
k
1,000 nodes 10,000 nodes 100,000 nodes
• As k increases, processing time increases exponentially, but becomes stable as k becomes comparable with the length of individual attack patterns
• Processing time is not significantly affected by the size of the graphs when k is small
Related Publication
SECRYPT 2012
50
Massimiliano Albanese, Sushil Jajodia, Andrea Pugliese, V. S. Subrahmanian, "Scalable analysis of attack scenarios," Proc. 16th European Symp. on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 6879, V. Atluri and C. Diaz, eds., Leuven, Belgium, September 12-14, 2011, pages 416-433 (Acceptance ratio 36/155).
Questions? 51